Page 41 - Cyber Warnings
P. 41
visibility and access to the device, and may even be remotely controlled by the hacker, while the
victim or their employer are not aware.
Android Adds Protection
When this vulnerability was first discovered, it was believed that the operating systems
vulnerable to Accessibility Clickjacking extended only through KitKat (4.4.x). With the
introduction of Lollipop (5.x), Android developers recognized this vulnerability and added extra
protection to the OK button that would activate any new Accessibility Service.
Although touches can be passed through a graphical overlay in general, this is not allowed for
this final OK button, which now requires a direct tap on the exposed button. With this strategy,
the user would be sure to recognize the implications of that action.
Shortly after the initial discovery I found myself in a hotel room thinking about this exploit, sure
that there must be something I was missing, when it hit me. The door to my hotel room blocked
my view of the hallway, yet a peephole allowed me a very small window to see through to the
outside.
Applying this thinking to the Lollipop protection, I imagined an OK button that was mostly
covered, but with a small hole in the graphical overlay that allowed a direct tap without the user
seeing what was really happening. With this strategy, Lollipop was also vulnerable to
Accessibility Clickjacking, bringing the total number of vulnerable devices up to 1.34 billion.
Here is a screenshot demonstrating Accessibility Clickjacking:
41 Cyber Warnings E-Magazine – June 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
